DOE F 1325.8
(08-93)
United States Government                                          Department of Energy

Memorandum

        DATE:   September 20, 2006                   Audit Report Number: OAS-L-06-20
    REPLY TO
     ATTN OF:   IG-34 (A06TG036)

     SUBJECT:   Special Report on "The Department's Security over Personally Identifiable
                Information"

          TO:   Chief Financial Officer, CF-1
                Chief Human Capital Officer, HR-1
                Chief Information Officer, IM-1

INTRODUCTION AND OBJECTIVE

The Department of Energy (Department) maintains numerous information systems that contain personally identifiable information (PII). In response to recent security incidents involving the loss or compromise of sensitive personal information by Federal agencies, the Office of Management and Budget (OMB) issued a memorandum on June 23, 2006, recommending that agencies take action to strengthen controls over the protection of PII within 45 days. The actions focused on ensuring that PII was adequately protected when transported or remotely accessed. The guidance also recommended that all computer-readable extracts from databases containing sensitive data be tracked and promptly erased when no longer needed.

In response to a request from OMB, the Office of Inspector General (OIG), in coordination with the President's Council on Integrity and Efficiency (PCIE), performed a review of the Department's controls over the protection of PII. The review was based on a PCIE-developed standardized guide designed to test the implementation of OMB guidance and related National Institute of Standards and Technology (NIST) requirements. The results of our limited-scope review, presented below and in the attached reporting template, will be combined with those of other agency Inspectors General and used by the PCIE to prepare a report on the status of PII protections within the executive branch.

CONCLUSION AND OBSERVATIONS

Although the Department has made progress and has indicated that it plans to fully implement needed controls, our review found that recently developed PII policies were missing certain key components and that implementation was, so far, incomplete.

                                 Departmental Efforts

The Department has taken several positive steps to protect PII. The Office of the Chief Information Officer (OCIO) issued Department-level guidance (DOE CIO Guidance CS-38, Protection of Personally Identifiable Information, on July 20, 2006), establishing requirements for the protection of PII in all Federal and contractor-operated information systems. Organizations controlled by each of the Department's Under Secretaries have also issued separate and complementary guidance designed to ensure that required protective measures are implemented. Work is underway to deploy these recently developed controls, including actions such as utilizing two-factor authentication for remote access and installing encryption capabilities on laptop computers.

Various program elements have also begun performing internal reviews to determine whether controls had been implemented and to identify needed corrective actions. For instance, a review conducted by the Office of the Chief Financial Officer identified a number of activities that have been or will be taken to meet security requirements, including the installation of encryption software on all laptops and the development of a plan of action and milestones to bring all systems into compliance. In addition, the Office of Management completed a review of policies and processes to ensure that the Department had adequate safeguards to prevent the intentional or negligent misuse of, or unauthorized access to, PII. Although this management review did not include formal recommendations, it did identify certain areas that needed improvement.

                              Policies and Implementation

Even though the Department has developed policies for protecting PII that is transported or accessed remotely, this guidance was not complete. While each of the policies we reviewed prescribed certain controls for transporting PII, they did not always meet requirements established by NIST. For instance, several of the policies reviewed required that transported PII be encrypted; however, rules for determining whether the information should be transported at all were not defined. Other implementing instructions did not address issues such as the controls necessary for ensuring that PII maintained on personal computers used for telecommuting is not exposed to compromise. Policies also did not always explicitly describe rules or prohibitions related to the remote download and/or storage of PII.

Based on limited testing, we also determined that the Department had not yet implemented all the protective measures recommended by OMB and/or required by NIST. For example, NIST-required risk assessments had not always been updated to ensure that all PII whose exposure could result in a moderate or high impact had been explicitly identified. Specifically, the results of an internal review from one program disclosed that certification and accreditation documents, including risk assessments, had not been modified to address PII issues. In addition, the programs reviewed had not implemented logging of computer-readable data extracts from systems containing PII. Various officials told us that while this step was recommended by OMB, they did not believe that it was practical. Furthermore, the field sites reviewed had either not developed policies addressing all OMB recommendations or had not yet completed implementation of established policies.

ONGOING ACTIVITIES

Although we have completed the tests specified by the PCIE (see Attachment 2), our audit to evaluate the adequacy of the Department's protection of PII continues. During the coming months, we plan to visit additional field sites to determine whether facility contractors have implemented needed protective measures. At the completion of audit field work, we will issue a follow-on report which will contain formal audit recommendations, as appropriate.

We appreciate the cooperation of you and your staff during the conduct of this review.

                                      Rickey R. Hass
                                      Assistant Inspector General
                                        for Financial, Technology, and Corporate Audits
                                      Office of Inspector General

Attachments (2)

cc:    Chief of Staff
       Director, Policy and Internal Controls Management, NA-66
       Team Leader, Audit Liaison, CF-1.2
       Audit Liaison, IM-10
       Audit Liaison, HR-1
       Audit Liaison, EM-33
       Audit Liaison, FE-3
       Audit Liaison, SC-32.1


                                                                    Attachment 1

SCOPE AND METHODOLOGY

This review was performed between June and September 2006 at Department Headquarters in Washington, DC and Germantown, MD; the Oak Ridge Office, Oak Ridge National Laboratory, and Y-12 National Security Complex, Oak Ridge, TN; and the National Energy Technology Laboratory, Pittsburgh, PA and Morgantown, WV.

To satisfy PCIE review requirements, we:

    *   Reviewed Federal regulations and Departmental directives and guidance
        pertaining to personally identifiable information;

    *   Reviewed program-level policies relevant to protecting personally
        identifiable information;

    *   Held discussions with program officials from Department Headquarters
        and field sites reviewed, including representatives from the Offices of the
        Chief Information Officer, Chief Financial Officer, Environmental
        Management, Fossil Energy, Management, and Science, as well as the
        National Nuclear Security Administration; and,

    *   Analyzed information provided by the organizations reviewed to determine
        compliance with OMB Memorandum M-06-16, Protection of Sensitive
        Agency Information, as well as compliance with the President's Council for
        Integrity and Efficiency guidance.


                                                                    Attachment 2

            APPENDIX I: IG DATA COLLECTION INSTRUMENT - DEPARTMENT OF ENERGY

This data collection instrument (DCI) was developed by the FAEC IT Committee of the PCIE/ECIE to assist IGs in determining their agency's compliance with OMB Memorandum M-06-16. The data collection instrument contains three parts. The first part is based on a security checklist developed by NIST (see Section 1 below). Questions in the DCI are designed to assess Agency requirements in the memorandum, which are linked to NIST SP 800-53 and 800-53A. Each IG can use the associated checklist and the relevant validation techniques for their own unique operating environment. Section 2 is the additional actions required by OMB M-06-16. Section 3 should document your overall conclusion as well as detailed information regarding the type of work completed and the scope of work performed.

For each overall Step and Action Item, please respond yes, no, partial, or not applicable. For no, partial, and not applicable responses, please provide additional information in the comments sections. After the yes, no, partial, or not applicable response, IGs have the option to provide an overall response using the six control levels as defined below for the overall Step. Each condition for the lower level must be met to achieve a higher level of compliance and effectiveness. For example, for the control level to be defined as "Implemented", the Agency must also have policies and procedures in place. The determination of the control level for each step should be based on the responses provided to the Action Items included in that step.

Controls Not Yet In Place - The answer would be "Controls Not Yet in Place" if the Agency does not yet have documented policy for protecting PII.
Policy - The answer would be "Policy" if controls have been documented in Agency policy.
Procedures - The answer would be "Procedures" if controls have been documented in Agency procedures.
Implemented - The answer would be "Implemented" if the implementation of controls has been verified by examining procedures and related documentation and interviewing personnel to determine that procedures are implemented.
Monitor & Tested - The answer would be "Monitor and Tested" if documents have been examined and interviews conducted to verify that policies and procedures for the question are implemented and operating as intended.
Integrated - The answer would be "Integrated" if policies, procedures, implementation, and testing are continually monitored and improvements are made as a normal part of agency business processes.


Section One

                        Security Controls and Assessment Procedures

Action Item 1.1: Has the Agency verified information categorization to ensure identification of personally identifiable information requiring protection when accessed remotely or physically removed?

Action Item 1.2: Has the Agency verified existing risk assessments?

Comments: Not all Department organizations had ensured categorization of systems containing PII in accordance with FIPS 199 or updated relevant risk assessments.


Action Item 2.1: Has the Agency identified existing organizational policy that addresses the information protection needs associated with personally identifiable information that is accessed remotely or physically removed?

Action Item 2.2: Does the existing Agency organizational policy address the information protection needs associated with personally identifiable information that is accessed remotely or physically removed?

          1. For Personally Identifiable Information physically removed:
             a. Does the policy explicitly identify the rules for determining whether physical
                removal is allowed?
             b. For personally identifiable information that can be removed, does the policy
                require that information be encrypted and that appropriate procedures,
                training, and accountability measures are in place to ensure that remote use
                of this encrypted information does not result in bypassing the protection
                provided by the encryption?

          2. For Personally Identifiable Information accessed remotely:
             a. Does the policy explicitly identify the rules for determining whether remote
                access is allowed?
             b. When remote access is allowed, does the policy require that this access be
                accomplished via a virtual private network (VPN) connection established
                using agency-issued authentication certificate(s) or hardware tokens?
             c. When remote access is allowed, does the policy identify the rules for
                determining whether download and remote storage of the information is
                allowed? (For example, the policy could permit remote access to a database,
                but prohibit downloading and local storage of that database.)

Action Item 2.3: Has the organizational policy been revised or developed as needed, including steps 3 and 4?

Comments: Not all Department organizations had established and/or updated policy regarding protection of PII, including safeguards over transport and remote access in accordance with OMB and NIST requirements.


Action Item 3.1: In the instance where personally identifiable information is transported to a remote site, have the NIST Special Publication 800-53 security controls ensuring that information is transported only in encrypted form been implemented?

      * Evaluation could include an assessment of tools used to transport PII for use of encryption.

Action Item 3.2: In the instance where PII is being stored at a remote site, have the NIST SP 800-53 security controls ensuring that information is stored only in encrypted form been implemented?

      * Evaluation could include a review of remote site facilities and operations.

Comments: We found that not all of the field sites reviewed had ensured that personally identifiable information was adequately protected when being transported or stored offsite.


          If personally identifiable information is to be transported and/or stored offsite,
                      follow Action Item 4.3, otherwise follow Action Item 4.4.

Action Item 4.1: Have NIST Special Publication 800-53 security controls requiring authenticated virtual private network (VPN) connection been implemented by the Agency?

      * Evaluation could include a review of the configuration of VPN application(s).

Action Item 4.2: Have the NIST Special Publication 800-53 security controls enforcing allowed downloading of personally identifiable information been enforced by the Agency?

      * Evaluation could include a review of controls for downloading PII.

          If remote storage of personally identifiable information is to be permitted,
                      follow Action Item 4.3, otherwise follow Action Item 4.4.

Action Item 4.3: Have the NIST Special Publication 800-53 security controls enforcing encrypted remote storage of personally identifiable information been implemented by the Agency?

Action Item 4.4: Has the Agency enforced NIST Special Publication 800-53 security controls enforcing no remote storage of personally identifiable information?

Comments: We found that not all Department elements reviewed had implemented adequate controls over remote access to personally identifiable information. Specifically, not all organizations had implemented two-factor authentication for remote access, monitored downloads of information from databases containing personally identifiable information, or ensured that remotely stored PII was encrypted.

(The source for all the control steps above is NIST SP 800-53 and SP 800-53A assessment procedures.)


Section Two

1. Has the Agency encrypted all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by the Agency Deputy Secretary or an individual he/she may designate in writing?

2. Does the Agency use remote access with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access?

3. Does the Agency use a time-out function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity?

4. Does the Agency log all computer-readable data extracts from databases holding sensitive information and verify that each extract including sensitive data has been erased within 90 days or that its use is still required?

Comments: We found that not all Department elements had encrypted mobile devices or received the necessary waivers at the time of our review. In addition, two-factor authentication had not been implemented at all of the organizations reviewed. We also found that none of the organizations reviewed were logging all computer-readable data extracts from databases containing sensitive information.


Section Three

To assist the PCIE/ECIE in evaluating the results provided by individual IGs and in creating the government-wide response, please provide the following information:

Type of work completed (i.e., assessment, evaluation, review, inspection, or audit).

Scope and methodology of work completed based on the PCIE/ECIE review guide Step 2, page 4.

          Assessment Methodologies Used to Complete the DCI Sections (Mark All That Apply)

                                               Section One                       Section Two
                                        Step 1    Step 2    Step 3    Step 4
 Interviews (G/F/C)                     [cell values illegible in the scanned copy]
 Examinations (G/F/C)                   [cell values illegible in the scanned copy]
 Tests (Independently verified - Y/N)     N         Y         N         N          N

 Assessment Method Descriptions consistent with NIST SP 800-53A - Appendix D, pages 34 - 36.
 G = Generalized. F = Focused. C = Comprehensive. Y = Yes. N = No.

 OSM Narrative: Please address the coverage of your assessment, and include any comments you deem pertinent to placing your results in the proper context.

 Overall conclusion statement.
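Two of the Section Two items above describe concrete mechanisms rather than policy alone: re-authentication after 30 minutes of inactivity (item 3) and logging of computer-readable data extracts with verification that each extract is erased within 90 days unless its use is still required (item 4). The Python script below is an added example, not part of the OIG report or the PCIE instrument, showing how an auditor could check those two conditions mechanically against an extract register. The pipe-separated log format, the field names, the `as_of` date and the four sample entries are constructed assumptions for the demonstration; the 30-minute and 90-day limits are the values quoted in the items.

```python
"""Check an extract register and session idle times against OMB M-06-16 items 3 and 4.

Added example; the register format is a constructed assumption:
    extract_id|source_db|extracted_on|erased_on|still_required
where erased_on may be empty and still_required is "yes" or "no".
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Iterable, Optional

IDLE_LIMIT_MINUTES = 30     # item 3: re-authenticate after 30 minutes of inactivity
ERASURE_DEADLINE_DAYS = 90  # item 4: extract erased within 90 days unless still required


@dataclass
class ExtractRecord:
    extract_id: str
    source_db: str
    extracted_on: date
    erased_on: Optional[date]
    still_required: bool  # data owner has re-certified a continuing need


def parse_register(lines: Iterable[str]) -> list:
    """Parse register lines; blank lines and '#' comments are skipped."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        extract_id, source_db, extracted, erased, required = line.split("|")
        records.append(ExtractRecord(
            extract_id=extract_id,
            source_db=source_db,
            extracted_on=date.fromisoformat(extracted),
            erased_on=date.fromisoformat(erased) if erased else None,
            still_required=(required.lower() == "yes"),
        ))
    return records


def classify_extract(rec: ExtractRecord, as_of: date) -> str:
    """Return the item-4 status of one extract as of a given date."""
    if rec.erased_on is not None:
        return "erased"
    if rec.still_required:
        return "retained-justified"
    deadline = rec.extracted_on + timedelta(days=ERASURE_DEADLINE_DAYS)
    return "within-window" if as_of <= deadline else "OVERDUE"


def audit_register(lines: Iterable[str], as_of: date) -> dict:
    """Map each extract_id to its status so overdue extracts can be reported."""
    return {rec.extract_id: classify_extract(rec, as_of)
            for rec in parse_register(lines)}


def requires_reauthentication(last_activity: datetime, now: datetime) -> bool:
    """Item 3: a remote session idle for 30 minutes or more must re-authenticate."""
    return now - last_activity >= timedelta(minutes=IDLE_LIMIT_MINUTES)


# Constructed sample register; dates chosen around the report date (2006-09-20).
SAMPLE_REGISTER = [
    "# extract_id|source_db|extracted_on|erased_on|still_required",
    "EXT-001|hr_personnel|2006-05-01||no",          # past the 90-day window, not erased
    "EXT-002|payroll|2006-08-15||no",               # still inside the window
    "EXT-003|hr_personnel|2006-04-10|2006-06-01|no",  # erased on time
    "EXT-004|benefits|2006-03-01||yes",             # owner certified continuing need
]

if __name__ == "__main__":
    report_date = date(2006, 9, 20)
    for extract_id, status in audit_register(SAMPLE_REGISTER, report_date).items():
        print(f"{extract_id}: {status}")
    idle_since = datetime(2006, 9, 20, 9, 0)
    print("re-auth needed:", requires_reauthentication(idle_since, datetime(2006, 9, 20, 9, 31)))
```

Run with the sample register, the script reports EXT-001 as OVERDUE (extracted 1 May, deadline 30 July, still present on 20 September) and the other three as erased, within-window or retained-justified; the "retained-justified" state only exists because the item allows an extract to be kept when its use is still required, so the register has to capture that certification explicitly rather than infer it from age.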